SMS Pumping Is Draining Your 2FA Budget — and Mobile-Originated iMessage 2FA Fixes It
If you send SMS one-time codes, there's a decent chance you're paying scammers to phone-spam themselves on your dime. It even has a name: SMS pumping . And it's not a rounding error — Elon Musk claimed Twitter was losing ~$60M/year to fake 2FA traffic before they killed SMS 2FA for free accounts. Here's how the scam works, why SMS 2FA is structurally expensive, and why flipping the direction — mobile-originated (MO) 2FA , taken to its logical end over iMessage — fixes both the cost and the fraud at once. What is SMS pumping? SMS pumping (also called AIT — Artificially Inflated Traffic , or SMS toll fraud ) is a scheme where bad actors abuse a form that sends SMS one-time codes. They pump thousands of phone numbers — usually premium ranges they secretly control with a telecom — into your "send me a code" endpoint. You pay for every one of those messages. A cut of that termination fee flows back to the fraudsters via the carrier. The "users" never log in. They were never users. The entire point was to make your verification endpoint dial a meter that pays them. The structure that makes this possible is simple: you, the company, send (and pay for) the message. Every code is revenue for someone in the delivery chain — so there's a direct financial incentive to trigger as many as possible. Why SMS 2FA is expensive even without fraud Even with zero abuse, application-to-person ( A2P SMS ) is a bad cost curve: You pay per message. Volume spikes — a launch, a bot attack, an international audience — turn into surprise bills. International is brutal. Cross-border A2P carries steep carrier surcharges that vary wildly by destination. Carrier fees and registration overhead. In the US you're funneled through A2P 10DLC registration, brand vetting, and per-segment fees before you send a single legit code. So your 2FA line item is pay-per-event , unpredictable , and exploitable . Three bad properties for something that's supposed to be boring infrastructure. The Twitter/X case This